How To Send HIPAA Compliant Fax Via EmailtoFax and FaxtoEmail With a Hosted Fax Service Provider

I recently read an article from a fax service provider that claimed sending fax-to-email via a fax service provider was a HIPAA compliant fax solution. As a former Product Manager for MCI's hosted fax service, and as a current fax solution provider, I knew this was incorrect as the PHI is traveling over the public internet which is not HIPAA compliant. This article's purpose is to tell the reader how to be HIPAA complaint when using internet fax.

I currently work with integrated internet fax and OCR applications that created automated data entry applications. One of the applications for this integrated service is EOB processing as well as HCFA processing so we know inbound PHI traversing the internet as an image via internet fax is not HIPAA compliant from working with many customers and evaluating the HIPAA regulations. We know that PHI as an image cannot travel over the internet as an email without the image being encrypted while remaining in HIPAA compliance because the information is not protected. The following information on PHI is from the HHS.gov web site.

What Information is Protected

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."12

· the individual's past, present or future physical or mental health or condition,

· the provision of health care to the individual, or

· the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Internet Fax Path

Consider the flow of an inbound fax-to-email; a user places a form on a fax machine and sends a fax, it traverses the PSTN as data, it is then converted from data and "packaged" by the hosted fax server as an image and sent via email to the email address mapped to the fax number. The path when traveling the PSTN via data is HIPAA compliant, but unless the path from the host fax service to the email address is a point to point connection like a T-1 or a VPN, or encrypted, like PGP, the email is not HIPAA compliant as it is traveling over the public internet. In the case of an outbound email-to-fax, unless a secure connection exists between the user domain and fax service provider, email-to-fax cannot be HIPAA compliant because once again, PHI is traveling via the public internet.

Based on the challenges of sending HIPAA compliant internet fax, it's difficult for the small end user, but relatively easy for a large inbound application because a VPN can be used. The moral to the story is that many fax service providers are claiming to have a HIPAA compliant fax solution, unless they can explain how the image of PHI is not traveling over the public internet, they are incorrect. Go to for the source on HIPAA compliance.